Adding trusted-keys to named.conf
Mark Andrews
marka at isc.org
Thu Feb 28 23:21:50 UTC 2013
In message <512FB319.7030404 at htt-consult.com>, Robert Moskowitz writes:
> I MAY be doing something wrong, or my problem is elsewhere...
>
> In zone htt. I have the DNSKEY RR:
>
> htt. IN DNSKEY 257 3 7
> AwEAAfEIWjDoEesqC4NLAwNFgviq+IGbUFmnFn0/2L8UvLWMjYiGFETi
> NyA4CVaaG4GMekSJM8dI0FepyIKurxAhYzyV+phS5C6MoVmnYdF27dkP
> qS0pFDZ/Hpp25qTrKIUjcqvxgECP1ArXa7yyE7/xWzQjH9nk5gEnad6w
> Gy41lRnv3/UPtkxw669V2Ikb1NLAB5XnAzpTc4Tm7QPRPtbN8+FKWyYW
> Ie9/nYKf67vSrlwbxRFbb27GeEmnrqMtsLkSFP1zDoUbmgJs3yiVjFCD
> 8hRYlbOA9lgAMbOGm4tNsLOFx0vyBZEVtdh4l/YDAaklygtR+f60271X
> DHWaC4U/VYrHRidg2krM+UpPhjqn3aPJFIyyKEEE66cMSlf7ROL71w==
>
> So in my caching server's named.conf I added at the end:
>
> include "/etc/named.trusted.key";
>
> and this contains:
>
> trusted-keys {
>
> # DNSKEY for htt zone.
>
> htt. 257 3 7
> "AwEAAfEIWjDoEesqC4NLAwNFgviq+IGbUFmnFn0/2L8UvLWMjYiGFETi
> NyA4CVaaG4GMekSJM8dI0FepyIKurxAhYzyV+phS5C6MoVmnYdF27dkP
> qS0pFDZ/Hpp25qTrKIUjcqvxgECP1ArXa7yyE7/xWzQjH9nk5gEnad6w
> Gy41lRnv3/UPtkxw669V2Ikb1NLAB5XnAzpTc4Tm7QPRPtbN8+FKWyYW
> Ie9/nYKf67vSrlwbxRFbb27GeEmnrqMtsLkSFP1zDoUbmgJs3yiVjFCD
> 8hRYlbOA9lgAMbOGm4tNsLOFx0vyBZEVtdh4l/YDAaklygtR+f60271X
> DHWaC4U/VYrHRidg2krM+UpPhjqn3aPJFIyyKEEE66cMSlf7ROL71w==";
>
> };
>
> And I am still getting:
>
> Feb 28 14:35:17 klovia named[24806]: validating @0xb4855220: htt SOA:
> got insecure response; parent indicates it should be secure
The forwarders are not DNSSEC enabled. "parent" here means named.conf.
From the recursive server run
dig @forwarder +dnssec htt soa
This should work and have RRSIG records. Do some other queries also
with +dnssec. Negative responses should have NSEC/NSEC3 records if
they are coming from a signed zone.
> The log for starting named does have:
>
> Feb 28 14:35:00 klovia named[24806]: managed-keys-zone ./IN: loaded
> serial 103
managed-keys in named.conf are just the initial keys used as the
starting point for RFC 5011 style trusted key management. The runtime
keys are pulled from a separate database. That message says that
the serial number for that database is 103.
> but nothing about trusted-keys loaded. In the
> http://www.isc.org/software/bind/documentation/arm95 it shows the
> trusted-keys clause before the global options. Does order matter; it
> seems to for ACLs? Is there something else I am missing?
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
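The check Mark describes, as an added example that is not part of the thread: a small POSIX sh script that classifies the output of "dig @forwarder +dnssec" by whether the answer carries RRSIG records, or a negative answer carries signed NSEC/NSEC3 records, so a forwarder that strips DNSSEC data is spotted before named logs "got insecure response". The function names, the forwarder address and the sample dig output are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): classify a "dig @forwarder +dnssec"
# response the way Mark's advice does. Function and sample names are hypothetical.
#
# classify_dig_output reads dig output on stdin and prints one word:
#   signed   - ANSWER section carries an RRSIG (forwarder passes DNSSEC data)
#   denial   - negative answer with signed NSEC/NSEC3 in AUTHORITY
#   insecure - no signatures at all, which is what a non-DNSSEC forwarder returns
classify_dig_output() {
  awk '
    /^;; ANSWER SECTION:/     { sec = "answer";     next }
    /^;; AUTHORITY SECTION:/  { sec = "authority";  next }
    /^;; ADDITIONAL SECTION:/ { sec = "additional"; next }
    /^;/ || /^$/              { next }   # dig banner, header, flags, question
    # RR lines are "owner ttl class type rdata...", so $4 is the RR type
    sec == "answer"    && $4 == "RRSIG"                   { ans_sig = 1 }
    sec == "authority" && $4 == "RRSIG"                   { auth_sig = 1 }
    sec == "authority" && ($4 == "NSEC" || $4 == "NSEC3") { denial = 1 }
    END {
      if (ans_sig)                 print "signed"
      else if (denial && auth_sig) print "denial"
      else                         print "insecure"
    }'
}
# Live check of a forwarder, e.g.: check_forwarder 192.0.2.53 htt soa
check_forwarder() { dig "@$1" +dnssec "$2" "$3" | classify_dig_output; }

# Constructed sample responses (signature data abbreviated), not real captures.
SAMPLE_SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; ANSWER SECTION:
htt.  3600  IN  SOA    ns1.htt. hostmaster.htt. 2013022801 3600 900 604800 300
htt.  3600  IN  RRSIG  SOA 7 1 3600 20130330000000 20130228000000 12345 htt. AbCd==
'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; ANSWER SECTION:
htt.  3600  IN  SOA    ns1.htt. hostmaster.htt. 2013022801 3600 900 604800 300
'
SAMPLE_DENIAL=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 777
;; AUTHORITY SECTION:
htt.         300  IN  SOA    ns1.htt. hostmaster.htt. 2013022801 3600 900 604800 300
htt.         300  IN  RRSIG  SOA 7 1 300 20130330000000 20130228000000 12345 htt. AbCd==
h4sh3d.htt.  300  IN  NSEC3  1 0 10 AABBCCDD n3xth4sh NS SOA RRSIG DNSKEY NSEC3PARAM
h4sh3d.htt.  300  IN  RRSIG  NSEC3 7 2 300 20130330000000 20130228000000 12345 htt. AbCd==
'

# Offline run over the samples: prints signed, insecure, denial
for s in "$SAMPLE_SIGNED" "$SAMPLE_INSECURE" "$SAMPLE_DENIAL"; do
  printf '%s' "$s" | classify_dig_output
done
```

An "insecure" result for a zone whose parent (or, as here, named.conf) says it should be secure points at the forwarder rather than at the trusted-keys statement.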